So far unprivileged guest callers running in ring 3 can issue, e.g., MMUhypercalls. Normally, such callers cannot provide any hand-crafted MMUcommand structure as it has to be passed by its physical address, butthey can still crash the guest kernel by passing random addresses.

To close the hole, this patch considers hypercalls valid only if issuedfrom guest ring 0. This may still be relaxed on a per-hypercall base inthe future once required.